If at first you don't succeed; call it version 1.0
Sunday, 14 October 2007

Finally, AOL have released the new version (v6.5) of AIM.

I've tested this version against the critical vulnerability I've found. While it does fix the specific attack vector of the vulnerability, it still does not utilize the Local Zone lockdown. This means that if someone finds another way to inject a script into a message, it will still be possible to execute arbitrary code remotely.

I've decided to postpone the release of my proof-of-concept, at least until AOL fixes their client properly. This is mainly because it will probably not be so hard to manipulate the PoC and find another way to inject a script, and it's a short way from this to creating a massive IM worm.

Unfortunately, there are no release notes to indicate that there was a security fix in the new version.

You can find more info about the vulnerability in Core's advisory and on Ryan's security blog.


Sunday, 14 October 2007 16:04:32 UTC | Security
The opinions expressed herein are my own personal opinions and do not represent my employer's view in any way.